HERAS-AF Forum
Author Topic: EnvironmentAttributeDesignator current-date issue  (Read 754 times)
niro
« on: June 01, 2011, 01:24:37 pm »

Hi,

Previously I was using herasaf-xacml-core 1.0.0-M2 and was using EnvironmentAttributeDesignator to perform date comparisons. But I recently upgraded to herasaf-xacml-core 1.0.0.M3-SNAPSHOT and the EnvironmentAttributeDesignator no longer works for me. Has there been any change in the CORE? Please refer to the code snippet:

<Apply
   FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
      <EnvironmentAttributeDesignator
         DataType="http://www.w3.org/2001/XMLSchema#date"
         AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" />
   </Apply>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
      <SubjectAttributeDesignator
         AttributeId="urn:oassis:names:tc:xacml:1.0:subject:date"
         DataType="http://www.w3.org/2001/XMLSchema#date" />
   </Apply>
</Apply>


Regards,
Niro

Florian Huonder
Administrator
« Reply #1 on: June 01, 2011, 01:46:40 pm »

Hi Niro,

No, there should not have been any changes to the designators.
Could you post some more information about the error?
What is the behavior now? Can you post the log output?

Best regards,
Florian

niro
« Reply #2 on: June 06, 2011, 09:11:37 am »

Hi Florian,

Thanks for the response. There are no errors in the log. The strange thing is that when I add the mentioned condition to the Policy, the Request evaluates to Intermediate, and if I remove the condition completely, the Request evaluates to Permit. Should I manually send the EnvironmentAttributeDesignator with id="current-date" in the Request itself?


Regards,
Niroj

René Eggenschwiler
Administrator
« Reply #3 on: June 06, 2011, 09:25:54 am »

Hi Niro

Could you please attach your complete policy and the corresponding request you use?
It's not possible for us to find out what's wrong with only the snippet of the Apply itself.
We need a little bit more context.

Did you configure logging correctly? Do you get Debug-messages in your log file?
Please have a look at the chapter "Configuration of Logging MDC": http://dev.herasaf.org/wiki/display/XACMLCORE/GettingStarted

Regards,
René

niro
« Reply #4 on: June 06, 2011, 01:24:17 pm »

Hi René,

Thanks for the quick response. I have attached here a small test policy/ test request and the logger output.

Regards,
Niro

* log.txt (2.51 KB - downloaded 32 times.)
* test-policy.xml (1.52 KB - downloaded 28 times.)
* test-request.xml (0.79 KB - downloaded 22 times.)

René Eggenschwiler
Administrator
« Reply #5 on: June 06, 2011, 01:40:36 pm »

Hi Niro

I have a suspicion about the failure. But to be sure and find out if my suspicion is correct, I need a little bit more info.

Can you please tell me the lines of code you use to create the Request?
Do you use RequestContextFactory or do you use the RequestUnmarshaller or do you directly create a RequestType by yourself in the code?
Please simply just paste those 3 or four lines of code where you create the request...

Regards,
René

niro
« Reply #6 on: June 06, 2011, 01:58:42 pm »

Hi René,

Thank you very much for such a quick response. As for the RequestType, I read an XML file, send it as a string to my method, and generate the RequestType using the RequestMarshaller.

public boolean evaluate(String request) {
   try {
      RequestType requestType = RequestMarshaller.unmarshal(convertToInputStream(request));

The convertToInputStream method looks like:

InputStream is = new ByteArrayInputStream(string.getBytes("UTF-8"));

Regards,
Niro

René Eggenschwiler
Administrator
« Reply #7 on: June 06, 2011, 02:07:35 pm »

Hi Niro

I can reproduce the behaviour in my small test case. It seems that our RequestType unmarshalling doesn't behave really correctly.
You probably found a bug. :-)

At least when I try the following lines:
Code:
testRequest = RequestMarshaller.unmarshal(this.getClass().getResourceAsStream("/test-request.xml"));

I get a wrong RequestType returned.

Reasoning Context:
  • You have an AttributeDesignator that is searching for an Attribute current-date in the request
  • Your request only contains subject-id and dateofbirth
  • So the attribute designator can't find the attribute value current-date and returns an indeterminate
So far that's all correct.

But now to the most probably wrong part:
  • The XACML specification specifies that if no current-date is given manually in the request, then the environment attributes should be created when the request is being created
  • For us that means we should generate those environment attributes automatically at unmarshalling time if they are not already manually in the request
  • It looks like the automatic generation of those attributes doesn't work at the moment.

So as a workaround: specify the current-date attribute manually in your request.xml. That should then work.

In the meantime I'll figure out where exactly our bug is located.

Regards,
René
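
The workaround from this reply (putting current-date into the request yourself) can be applied to the request string before it reaches RequestMarshaller.unmarshal. This is an added example, not code from the thread or from HERAS-AF: it uses only JDK XML APIs, and the class name, the method name and the XACML 2.0 context namespace are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.time.LocalDate;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class CurrentDateWorkaround { // hypothetical helper, not part of HERAS-AF
    static final String CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"; // assumes a XACML 2.0 request
    static final String CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:environment:current-date";
    static final String XS_DATE = "http://www.w3.org/2001/XMLSchema#date";

    /** Returns the request with current-date present in <Environment>. */
    static String withCurrentDate(String requestXml, LocalDate today) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(requestXml)));
        Element env = (Element) doc.getElementsByTagNameNS(CTX, "Environment").item(0);
        if (env == null) { // tolerate a request that lacks the section
            env = (Element) doc.getDocumentElement().appendChild(doc.createElementNS(CTX, "Environment"));
        }
        // If the attribute is already supplied, leave the request untouched.
        NodeList attrs = env.getElementsByTagNameNS(CTX, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            if (CURRENT_DATE.equals(((Element) attrs.item(i)).getAttribute("AttributeId"))) return requestXml;
        }
        Element attr = doc.createElementNS(CTX, "Attribute");
        attr.setAttribute("AttributeId", CURRENT_DATE);
        attr.setAttribute("DataType", XS_DATE);
        Element value = doc.createElementNS(CTX, "AttributeValue");
        value.setTextContent(today.toString()); // ISO yyyy-MM-dd is a valid xs:date
        attr.appendChild(value);
        env.appendChild(attr);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed request: a subject attribute like the one in the thread, empty <Environment>.
        String request = "<Request xmlns=\"" + CTX + "\"><Subject><Attribute "
            + "AttributeId=\"urn:oasis:names:tc:xacml:2.0:subject:dateofbirth\" DataType=\"" + XS_DATE + "\">"
            + "<AttributeValue>1990-01-01</AttributeValue></Attribute></Subject><Resource/><Action/><Environment/></Request>";
        System.out.println(withCurrentDate(request, LocalDate.now()));
    }
}
```

In the evaluate(String request) method posted above, the returned string is what would be handed to convertToInputStream. Take the date from the PEP's own clock rather than from anything the requester supplies, since the policy compares against it.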

niro
« Reply #8 on: June 06, 2011, 02:10:52 pm »

Thank you very much for your help and your response.

For now I will add the current-date to the request manually.

Regards,
Niro

René Eggenschwiler
Administrator
« Reply #9 on: June 06, 2011, 02:29:08 pm »

Hi Niro

I've created an issue in our Tracker: http://dev.herasaf.org/browse/XACMLCORE-179

You can register yourself as a watcher for that issue. Then you'll be notified as soon as we have updates on it.

Regards,
René

René Eggenschwiler
Administrator
« Reply #10 on: June 06, 2011, 03:33:43 pm »

Hi Niro

I also found a fault in your request:
Code:
<Attribute
      AttributeId="urn:oasis:names:tc:xacml:2.0:subject:dateofbirth"
      DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>1990-01-01</AttributeValue>
</Attribute>

You use the wrong datatype in your attribute: DataType="http://www.w3.org/2001/XMLSchema#anyURI"
It should be: DataType="http://www.w3.org/2001/XMLSchema#date"

Then it works as expected.

Regards,
René
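
Both failures diagnosed in this thread (the absent current-date from Reply #7 and the anyURI/date mismatch above) leave a designator without a matching attribute, because a designator selects on AttributeId and DataType together and date-one-and-only then has nothing to return. The check below compares a policy's designators with a request before evaluation; it is an added example, not HERAS-AF code, the class and method names are hypothetical, the sample XML is constructed, and text blocks need Java 15 or later.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class DesignatorLint { // hypothetical helper, not part of HERAS-AF
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    /** One finding per designator the request cannot satisfy; XAttributeDesignator reads section <X>. */
    static List<String> lint(String policyXml, String requestXml) throws Exception {
        Map<String, Set<String>> supplied = new HashMap<>(); // "Section|AttributeId" -> DataTypes
        NodeList attrs = parse(requestXml).getElementsByTagNameNS("*", "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            String key = a.getParentNode().getLocalName() + "|" + a.getAttribute("AttributeId");
            supplied.computeIfAbsent(key, k -> new TreeSet<>()).add(a.getAttribute("DataType"));
        }
        List<String> findings = new ArrayList<>();
        NodeList all = parse(policyXml).getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element d = (Element) all.item(i);
            if (!d.getLocalName().endsWith("AttributeDesignator")) continue;
            String key = d.getLocalName().replace("AttributeDesignator", "") + "|" + d.getAttribute("AttributeId");
            Set<String> types = supplied.get(key);
            if (types == null) findings.add("MISSING " + key);
            else if (!types.contains(d.getAttribute("DataType"))) findings.add("DATATYPE " + key + " sent as " + types);
        }
        return findings;
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples modelled on the condition and the request attribute quoted in the thread.
        String policy = """
            <Condition xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#date" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"/>
            <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#date" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:dateofbirth"/>
            </Condition>""";
        String request = """
            <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"><Subject>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:dateofbirth" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
            <AttributeValue>1990-01-01</AttributeValue></Attribute>
            </Subject><Resource/><Action/><Environment/></Request>""";
        lint(policy, request).forEach(System.out::println);
    }
}
```

A MISSING finding for current-date applies only while the environment attributes are not generated at unmarshalling time, which is the state the thread describes for 1.0.0.M3-SNAPSHOT.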

René Eggenschwiler
Administrator
« Reply #11 on: June 06, 2011, 03:42:38 pm »

Hi Niro

For the problem with the auto-generation I added a patch to http://dev.herasaf.org/browse/XACMLCORE-179 with a small fix in RequestType.

I also attach it to my forum post.

If you apply this patch to the HERAS-AF XACML Core 1.0.0.M3-SNAPSHOT source, then it wouldn't be necessary to add the environment attributes manually to the request anymore.
They will then be auto-generated at unmarshalling a request.

Regards,
René

* RequestType.java.patch (2.14 KB - downloaded 26 times.)
« Last Edit: June 06, 2011, 03:47:38 pm by René Eggenschwiler »